The North Korean-backed state-sponsored threat group Lazarus has successfully breached the systems of Taiwanese multimedia software company CyberLink. The attackers used a sophisticated supply chain attack, trojanizing one of CyberLink’s installers to distribute malware globally.
Microsoft Threat Intelligence uncovered this suspicious activity related to the compromised CyberLink installer at the end of last month. The trojanized installer, hosted on CyberLink’s legitimate update infrastructure, is already present on more than 100 devices worldwide. Affected devices have been confirmed in Japan, Taiwan, Canada, and the United States.
CyberLink confidently linked this supply chain attack on their systems to the Lazarus hacking group.
CyberLink, one of Taiwan’s leading multimedia software providers, did not hesitate to blame the notorious Lazarus hacking group for the supply chain attack that affected its operations.
Further investigation revealed that the attackers also signed the trojanized installer with a valid code signing certificate issued to CyberLink Corp.; that certificate has since been added to the disallowed certificate list to prevent further misuse.
The trojanised installer, tracked as LambLoad, functions as a malware downloader and loader. It checks the system for security software and only proceeds with its malicious tasks when that protection is absent.
Once past that check, the malware connects to one of three command-and-control servers to retrieve a second-stage payload disguised as a PNG file.
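As an added illustration, not part of the original report or of any vendor tooling, the check below walks the chunk structure of a file that claims to be a PNG and flags what a genuine image would not contain: data appended after the IEND chunk, a chunk whose declared length runs past the end of the file, a bad chunk CRC, or a missing signature. The sample bytes are constructed here and have nothing to do with the real LambLoad payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk table and list anything a genuine PNG would not contain."""
    if not blob.startswith(PNG_SIG):
        return {"is_png": False, "findings": ["missing PNG signature"]}
    findings, pos, saw_iend = [], len(PNG_SIG), False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):  # declared length runs past the file
            findings.append(f"truncated chunk {ctype!r}")
            return {"is_png": True, "findings": findings}
        body = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"bad CRC in chunk {ctype!r}")
        if not ctype.isalpha():
            findings.append(f"non-alphabetic chunk type {ctype!r}")
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    trailing = len(blob) - pos  # bytes the decoder would silently ignore
    if not saw_iend:
        findings.append("no IEND chunk")
    elif trailing:
        findings.append(f"{trailing} bytes after IEND")
    return {"is_png": True, "findings": findings}

# Constructed samples; none of these bytes come from the real LambLoad payload.
IHDR = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN_PNG = PNG_SIG + IHDR + IDAT + png_chunk(b"IEND", b"")
APPENDED = CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 64     # payload glued after IEND
HEADER_ONLY = PNG_SIG + b"MZ\x90\x00" + b"\x00" * 64    # only the signature is real

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PNG), ("appended", APPENDED), ("header_only", HEADER_ONLY)]:
        print(name, inspect_png(sample))
```

Trailing data is a triage signal rather than proof, since some legitimate tools append metadata after IEND; the value of the check is that it is cheap to run on anything an installer or updater fetches under an image content type.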
The Lazarus hackers are notorious for this technique, previously seen in their attacks on legitimate crypto software to steal crypto assets. While Microsoft has yet to detect follow-on activity by the threat actors, the Lazarus group remains known for its multifaceted tactics, including data theft, infiltrating software build environments, downstream exploitation, and establishing persistent access.
Microsoft notified CyberLink immediately after detecting the supply chain breach and took further steps to inform Microsoft Defender for Endpoint customers affected by the attack. Additionally, the tech giant reported the incident to GitHub, leading to the removal of the second-stage payload.
CyberLink, for its part, is currently assessing the situation to develop countermeasures that could stop these attackers. This incident shows the persistent and evolving threats organisations face globally, so everyone should be cautious and knowledgeable about these malicious entities.